package com.ss.web.tagmark.init;

import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

import javax.servlet.http.HttpServletRequest;

import org.springframework.security.web.util.matcher.RequestMatcher;

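/**
 * Decides which requests must carry a valid CSRF token.
 *
 * <p>A request is subject to CSRF verification unless (a) its HTTP method is one of the
 * read-only methods GET, HEAD, TRACE or OPTIONS, or (b) it carries the header
 * {@code X-Requested-With: XMLHttpRequest}, i.e. it was sent by an AJAX client.
 *
 * <p>Security note on the AJAX exemption: it rests on browsers not attaching a custom
 * {@code X-Requested-With} header to a cross-origin request without a CORS preflight, so it
 * is only as strong as the application's CORS policy. If that header is listed in
 * {@code Access-Control-Allow-Headers} for origins that are not fully trusted, requests from
 * those origins reach state-changing endpoints without a token. Keep the CORS configuration
 * restrictive, or drop the exemption and send the token on AJAX requests as well.
 *
 * @author taofucheng
 */
public class DefaultRequiresCsrfMatcher implements RequestMatcher {
	/** HTTP methods that never require a CSRF token; the set is shared and immutable. */
	private static final Set<String> ALLOWED_METHODS = Collections
			.unmodifiableSet(new HashSet<>(Arrays.asList("GET", "HEAD", "TRACE", "OPTIONS")));

	/** Request header (and expected value) that marks a request as coming from an AJAX client. */
	private static final String AJAX_HEADER = "x-requested-with";
	private static final String AJAX_HEADER_VALUE = "XMLHttpRequest";

	/**
	 * Returns whether the CSRF token must be validated for {@code request}.
	 *
	 * @param request the incoming request; must not be {@code null}
	 * @return {@code true} if the method is not a read-only method and the request is not
	 *         flagged as AJAX; {@code false} otherwise
	 */
	@Override
	public boolean matches(HttpServletRequest request) {
		// HTTP method names are case-sensitive tokens, so no case folding is applied here.
		boolean readOnlyMethod = ALLOWED_METHODS.contains(request.getMethod());
		// The servlet container matches header names case-insensitively; only the value
		// comparison is relaxed here.
		boolean isAjax = AJAX_HEADER_VALUE.equalsIgnoreCase(request.getHeader(AJAX_HEADER));
		// Only non-read-only, non-AJAX requests (typically HTML form POSTs) need the token.
		return !readOnlyMethod && !isAjax;
	}

}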
